Researchers discovered a new flaw in RARlab’s UnRAR utility, tracked as CVE-2022-30333, that can be exploited by remote attackers to execute arbitrary code on a system that relies on the binary, like Zimbra webmail servers.
The CVE-2022-30333 flaw in the unrar binary developed by RarLab is a File Write vulnerability that could be exploited by tricking victims into extracting maliciously crafted RAR archives.
An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive. If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.
An attacker can fully compromise a server and install a backdoor and use the compromised machine as a pivot to target other systems withing the organization.
The issue stems from a symbolic link attack, threat actors could create a RAR archive containing a symlink that contains forward and backslashes to bypass current checks and extract it outside of the target extraction directory.
The flaw resides in a function that converts backslashes (‘\’) to forward slashes (‘/’) to RAR archives created on Windows to be extracted on Unix systems.
The attacker can exploit this flaw to write arbitrary files anywhere on the target filesystem, including writing a JSP shell into a web directory shell in Zimbra’s web directory.
Most Zimbra instances have their services distributed across multiple servers and thus this path of exploitation is not possible on most installations. Its recommend upgrading unrar immediately, even if your web server and mail server are not on the same physical machine.